Edit post Follow this blog Administration + Create my blog
Cisco & Cisco Network Hardware News and Technology

Tutorial: Cisco Routers Add Web Security with Cisco ScanSafe

November 14 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

IOS adds in proxy features to forward web traffic to cloud web security offering

Cisco launched this feature to the market at Interop. In a nutshell, it provides IOS routers with intelligent, identity aware, traffic redirection to the Cisco ScanSafe web security cloud offering. ScanSafe provides the following web security features as a cloud service:

  • URL Filtering
  • Scanlets analyze all elements of a web request including HTML, JavaScript, Flash and even obfuscated active scripts
  • Zero-day malware prevention
  • Protection against Phishing attacks
  • Granular Reporting with a multi-tenant design
  • 100% uptime over the last 8+ years
  • Heuristic Malware identification


Here is a graphical look at how each web request is processed in the cloud:


This means that http and https traffic will be redirected from the router to the ScanSafe cloud where it will be filtered according to your policy settings. In addition to the redirection of traffic, the ISR G2 will also provide identity (group and user based) to ScanSafe for granular policy selection. Identity can be obtained using multiple methods (AD, web auth, etc) but Active Directory will probably be the most popular. The router encrypts all identity info before it is sent to the cloud.


This type of feature will allow companies to securely stop back-hauling web traffic from remote site VPNs to the central site and back out again. It also allows for a common web security policy across remote sites, central sites, and even remote hosts with the AnyConnect ScanSafe integration. Sending web traffic directly to the Internet results in performance and user satisfaction improvements and decreased bandwidth requirements for HQ. Here is a simple graphic to illustrate this intelligent redirection of web traffic.


Now on to how you configure this on the router/Cisco routers.
First configure Identity on the router. This example will focus on active directory

LDAP integration.
Ldap server ad-server
transport port 3268
bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 4424A34232
base‐dn dc=test,dc=localdomain

search‐filter user‐object‐type top
authentication bind‐first


Next, create an ldap group

Aaa group server ldap ad-servers
Server ad-server


Now Define ip admission control:

Aaa authentication login cs-aaa group ad-servers
Aaa authorization network cs-aaa group ad-servers
Aaa accounting network cs-aaa none

Ip admission virtual-ip
Ip admission name csauth ntlm
Ip admission name csauth order ntlm
Ip admission name csauth method-list authentication cs-aaa authorization cs-aaa accounting cs-aaa
Ip http server

Interface Gig0/1
!Internal interface
Ip admission csauth


Now that we have identity configured we move on to configuring the scansafe redirection commands:

parameter-map type content-scan global
server scansafe primary ipv4 port http 8080 https 8080
server scansafe secondary ipv4 port http 8080 https 8080
license 0 source interface GigabitEthernet0/0
timeout server 30 user-group ciscogroup username ciscouser
logging server scansafe on-failure block-all


Turn on content scanning on the external interface:

interface GigabitEthernet0/0
!external interface
ip address
ip nat outside
ip virtual-reassembly in
ip virtual-reassembly out
content-scan out


To whitelist sites you create a parameter map like the following example:

parameter-map type regex site_param
pattern google
pattern cisco
parameter-map type regex browser_param
pattern Chrome
content-scan whitelisting
whitelist header user-agent regex browser_param
whitelist header host regex site_param


Supported Cisco ISR G2 Platforms and requirements include
-19xx, 29xx, 39xx
-Security feature license or higher is required
-Valid Cisco ScanSafe license


Cisco will release the IOS code end of this month. It will be 15.2(1)T. You can find more information at these links.


Share this post
To be informed of the latest articles, subscribe:
Comment on this post
Hi I am so pleased I found your blog,
Your computer is rattling instructive and your articles are wonderful.
Kondiloma akuminata atau yang sering disebut sebagai kutil kelamin, merupakan salah satu penyakit seksual menular (PMS) yang disebabkan oleh virus yang bernama Humanpapilloma virus (HPV). Terdapat lebih dari 40 jenis HPV yang dapat menginfeksi daerah kelamin laki-laki dan perempuan. Jenis HPV ini juga dapat menginfeksi mulut dan tenggorokan. Kebanyakan orang yang terinfeksi dengan HPV bahkan tidak tahu mereka memilikinya. HPV tidak sama dengan herpes atau HIV (AIDS).